From 529a517a7a2b851539b0fd2163b56979bb3a8608 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mar 12 2018 16:20:32 +0000 Subject: * Mon Mar 12 2018 Lukas Vrabec - 3.14.2-5 - Allow bluetooth_t domain to create alg_socket BZ(1554410) - Allow tor_t domain to execute bin_t files BZ(1496274) - Allow iscsid_t domain to mmap kernel modules BZ(1553759) - Update minidlna SELinux policy BZ(1554087) - Allow motion_t domain to read sysfs_t files BZ(1554142) - Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738) - Allow l2tp_t domain to read ipsec config files BZ(1545348) - Allow colord_t to mmap home user files BZ(1551033) - Dontaudit httpd_t creating kobject uevent sockets BZ(1552536) - Allow ipmievd_t to mmap kernel modules BZ(1552535) - Allow boinc_t domain to read cgroup files BZ(1468381) - Backport allow rules from refpolicy upstream repo - Allow gpg_t domain to bind on all unereserved udp ports - Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164) - Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655) - Allow xdm_t domain to sys_ptrace BZ(1554150) - Allow application_domain_type also mmap inherited user temp files BZ(1552765) - Update ipsec_read_config() interface - Fix broken sysadm SELinux module - Allow ipsec_t to search for bind cache BZ(1542746) - Allow staff_t to send sigkill to mount_t domain BZ(1544272) - Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545) - Label ip6tables.init as iptables_exec_t BZ(1551463) - Allow hostname_t to use usb ttys BZ(1542903) - Add fsetid capability to updpwd_t domain BZ(1543375) - Allow systemd machined send signal to all domains BZ(1372644) - Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876) - Allow sysadm_t to create netlink generic sockets BZ(1547874) - Allow passwd_t domain chroot - Dontaudit confined unpriviliged users setuid capability --- 
diff --git a/.gitignore b/.gitignore
index 8312177..c2f6ab7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -256,3 +256,5 @@ serefpolicy*
 /selinux-policy-contrib-9facb1c.tar.gz
 /selinux-policy-contrib-f564072.tar.gz
 /selinux-policy-bd7ad92.tar.gz
+/selinux-policy-9bd65d3.tar.gz
+/selinux-policy-contrib-fbc0290.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f8c5c69..2c2353c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 bd7ad92fc722388928f9441892a078018914cb7b
+%global commit0 9bd65d321e20805535392f3ea1bad8ac093bf7b5
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 f5640723a5d5982bde2a85b6003c12d2fbf976b6
+%global commit1 fbc029066ded32b6ddafb04023743ec25ebc6197
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -714,6 +714,38 @@ exit 0
 %endif
 %changelog
+* Mon Mar 12 2018 Lukas Vrabec - 3.14.2-5
+- Allow bluetooth_t domain to create alg_socket BZ(1554410)
+- Allow tor_t domain to execute bin_t files BZ(1496274)
+- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
+- Update minidlna SELinux policy BZ(1554087)
+- Allow motion_t domain to read sysfs_t files BZ(1554142)
+- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
+- Allow l2tp_t domain to read ipsec config files BZ(1545348)
+- Allow colord_t to mmap home user files BZ(1551033)
+- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
+- Allow ipmievd_t to mmap kernel modules BZ(1552535)
+- Allow boinc_t domain to read cgroup files BZ(1468381)
+- Backport allow rules from refpolicy upstream repo
+- Allow gpg_t domain to bind on all unereserved udp ports
+- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
+- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
+- Allow xdm_t domain to sys_ptrace BZ(1554150)
+- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
+- Update ipsec_read_config() interface
+- Fix broken sysadm SELinux module
+- Allow ipsec_t to search for bind cache BZ(1542746)
+- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
+- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
+- Label ip6tables.init as iptables_exec_t BZ(1551463)
+- Allow hostname_t to use usb ttys BZ(1542903)
+- Add fsetid capability to updpwd_t domain BZ(1543375)
+- Allow systemd machined send signal to all domains BZ(1372644)
+- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
+- Allow sysadm_t to create netlink generic sockets BZ(1547874)
+- Allow passwd_t domain chroot
+- Dontaudit confined unpriviliged users setuid capability
+
 * Tue Mar 06 2018 Lukas Vrabec - 3.14.2-4
 - Allow l2tpd_t domain to create pppox sockets
 - Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
diff --git a/sources b/sources
index 0413927..7d61733 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (container-selinux.tgz) = 034b1fe897360274159e54b0f872919a275522abf8017bf5d2fae4c43e5475367b850e1448edbeee0281ac8a1f208a21da0ee96bf86cba995008c597f8e06c58
-SHA512 (selinux-policy-contrib-f564072.tar.gz) = 35587369042238f95d80f8591fc6159fecb4b08c1a72f4ea09dc4cb14198353f2cfb20db11b51cf20244656e408fd119abcaf02c1784455dd33b31c35f11f809
-SHA512 (selinux-policy-bd7ad92.tar.gz) = 36239c76258f147d432de05a75cf26111671953f60a124cfab01bc8eb66be45e34c52357c0e0e864f30db045e8a7da75a75c16a2c0116716c26bedfb52485d6b
+SHA512 (selinux-policy-9bd65d3.tar.gz) = b9b0b072c1dafa8486bbb0c382d255dcbd4abace88f2fc11da7f589434f84f0a431ed291eac97154a824c5189b7fc15cc97be261b3d3c8459303a807ac5c89a3
+SHA512 (selinux-policy-contrib-fbc0290.tar.gz) = 7c0ff61e5a1ed83892f2c71d319dcc9bd1ba0a99b3417bee3fa777ed5e01f5da69a702b8002e0243680416a46125491df60c4896dcac2fdfef1c994132aa640c
+SHA512 (container-selinux.tgz) = 4964b40739da515351520f35d3d3164cd0746acc4db53ad26e260dfe210d2a0b9d7cab6c7159033392ed146cdadc357b6c9e870ab05bf3220372776cda1fee37
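Review bot: The `container-selinux.tgz` checksum changes in this hunk, but the file name carries no version or commit id, and neither the commit description nor the visible spec hunks mention a container-selinux update, so the new content cannot be traced from this commit. The two policy tarballs are named by short commit and line up with `commit0`/`commit1` in the spec, which makes their digests auditable against a specific upstream revision; the third archive has no such anchor. Consider naming it by upstream commit as well, or at least recording the refresh in the changelog, e.g. `- Update container-selinux.tgz to <upstream commit or version>`. Presumably the archive was regenerated when the sources were uploaded; that should be confirmed before the build is trusted.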